From owner-freebsd-security Tue Oct 1 15:31:55 2002
Message-Id: <4.3.2.7.2.20021001162821.036c0530@localhost>
Date: Tue, 01 Oct 2002 16:31:39 -0600
To: "f.johan.beisser"
From: Brett Glass
Subject: Re: tar/security best practice (was Re: RE: Is FreeBSD's tar susceptible to this?)
Cc: security@FreeBSD.ORG
In-Reply-To: <20021001151050.F67581-100000@pogo.caustic.org>
References: <4.3.2.7.2.20021001160301.034597f0@localhost>

At 04:21 PM 10/1/2002, f.johan.beisser wrote:

>if you're untarring something, shouldn't you review what you're looking at
>first anyway?

Most people look at what's being untarred as it happens. They don't expect upward directory traversal to be possible, so they don't anticipate being hit in the way that this bug allows. Also, even if one does list the contents of a large archive (say, a complete distribution of Apache), you'd need to list it slowly and read it critically. Even a really long file name will scroll by FAST during a listing and could be missed.
Let's preserve the intended function of the program and also abide by the POLA. I'm sure that this will get fixed sometime soon, but what I'd *really* like is to see a quick patch in time for 4.7.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
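The point above is that eyeballing a `tar -t` listing does not reliably catch an upward-traversal entry, especially a long name whose `../` components scroll past. The check below is an added example written for this page, not FreeBSD's tar and not code posted in the thread: it inspects a tar archive's member names and link targets from the raw bytes, before anything is written to disk, and reports every entry that would land outside the extraction directory. The archive it scans is constructed inline and the member names (`apache/...`, `/etc/rc.local`, the long `src/.../..` name) are made up for the demonstration.

```python
"""Pre-extraction check for tar members that would escape the extraction
directory: absolute names, '..' components that climb above the root, and
link targets that resolve outside it.  Added example; not FreeBSD's tar."""
import io
import posixpath
import tarfile


def escapes_root(path: str) -> bool:
    """True if `path` is absolute or resolves above the extraction root.

    Depth is tracked component by component so 'a/../b' (stays inside) is
    distinguished from '../b' or 'a/../../b' (climbs out); a plain substring
    test for '..' would reject the first and is easy to confuse with '...'.
    """
    if path.startswith("/"):
        return True
    depth = 0
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def find_unsafe_members(archive: bytes) -> list:
    """Return (member name, reason) for each entry that could write outside
    the current directory.  Works on the raw bytes so the archive is
    inspected before anything touches the filesystem."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tf:
        for m in tf.getmembers():
            if escapes_root(m.name):
                findings.append((m.name, "name escapes extraction root"))
                continue
            if m.islnk() and escapes_root(m.linkname):
                findings.append((m.name, "hard link target escapes root"))
            elif m.issym():
                # A symlink target is relative to the directory holding the link.
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if escapes_root(target):
                    findings.append((m.name, "symlink target escapes root"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive for the demonstration (not a real distribution):
    a benign file, a '..' traversal, an absolute path, a long name with the
    '..' buried far past column 100 (the sort that scrolls by in `tar -t`),
    and two symlinks, one escaping the tree and one staying inside it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add(name, kind=tarfile.REGTYPE, linkname="", content=b"x"):
            ti = tarfile.TarInfo(name)
            ti.type = kind
            ti.linkname = linkname
            if kind == tarfile.REGTYPE:
                ti.size = len(content)
                tf.addfile(ti, io.BytesIO(content))
            else:
                tf.addfile(ti)
        add("apache/README")
        add("apache/conf/../../../.cshrc")                      # climbs above root
        add("/etc/rc.local")                                    # absolute path
        add("apache/" + "src/" * 30 + "../" * 32 + ".profile")  # long name hiding '..'
        add("apache/lib/evil", tarfile.SYMTYPE, "../../../../tmp")
        add("apache/inner", tarfile.SYMTYPE, "../conf")         # resolves inside, fine
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_unsafe_members(build_sample_archive()):
        print(f"REFUSE {reason}: {name!r}")
```

Run it as a script to see the four refused entries, or call `find_unsafe_members()` on bytes read from an archive on disk and abort the unpack if the list is non-empty. Two caveats a practitioner should keep in mind: the scan looks only at names and link targets, so a symlink that stays inside the tree followed by a later member written through it is not caught without also simulating extraction order; and current GNU tar and bsdtar already strip a leading `/` and refuse members containing `..` unless told otherwise with `-P`, so a check like this earns its keep with older or third-party extractors, or where you want a log of what was refused.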